>I am trying to integrate Keycloak and Salesforce using Salesforce
>as an identity provider. It seems some of the information required to
>properly set up Salesforce as a SAML IdP is missing in Keycloak's SAML
>identity provider configuration. For example, "Entity Id", according to the
>Salesforce documentation:
>"This value comes from the service provider.
>Each entity ID in an organization must be unique. If you’re accessing multiple
>apps from your service provider, you only need to define the service provider
>once, and then use the RelayState parameter to append the URL values
>to direct the user to the correct app after signing in." (https://help.salesforce.com/HTViewHelpDoc?id=service_provider_define.htm&language=en_US).
>The SAML identity provider configuration in Keycloak does not have
>a setting to specify "Entity Id". Another missing attribute is "ACS URL"
>(The ACS, or assertion consumer service, URL comes from the SAML
>service provider.)
>Has anyone been able to set up Salesforce as IdP and Keycloak
>as SP using Keycloak's SAML identity provider? Is this even possible
>given that some required parameters are missing?
>Thx
>Peter